finallycoffee/matrix-docker-ansible-deploy
finallycoffee/matrix-docker-ansible-deploy
2
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
2,804 Commits 3 Branches 0 Tags 168 MiB
25e67b51d1
Commit Graph

268 Commits

Author SHA1 Message Date
sakkiii
25e67b51d1 Merge branch 'spantaleev:master' into master 2021-05-25 11:40:56 +05:30
sakkiii
3436f9c10a rename to matrix_nginx_proxy_hsts_preload_enabled 2021-05-25 00:56:59 +05:30
sakkiii
7cc5328ede Comments & Ref 2021-05-24 17:20:54 +05:30
sakkiii
df2d91970d matrix_nginx_proxy_xss_protection 2021-05-24 17:02:47 +05:30
Slavi Pantaleev
6f80292745
Add OCSP stapling support and other SSL optimizations to Hydrogen vhost 
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1061
and https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
 2021-05-21 13:40:37 +03:00
Slavi Pantaleev
d0de21ab34
Delete Hydrogen nginx configuration file when disabled 2021-05-21 12:58:32 +03:00
Aaron Raimist
04548f8df2
Merge branch 'master' into hydrogen 2021-05-21 04:09:18 -05:00
Aaron Raimist
9437f78c9e
Build using custom config.json, add CSP, update to 0.1.53 2021-05-21 03:45:21 -05:00
sakkiii
e9b878b9e9 Optimize SSL session 2021-05-18 19:39:43 +05:30
Slavi Pantaleev
e6afa05f7b Enable OCSP stapling for the federation port 
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057

Not sure if this is beneficial though.
 2021-05-18 08:15:42 +03:00
Slavi Pantaleev
57a6a98a50 Fix incorrect SSL certificate path 
Related to https://github.com/spantaleev/matrix-docker-ansible-deploy/pull/1057
 2021-05-18 07:58:47 +03:00
Slavi Pantaleev
b9c4e8ce16
Merge pull request #1057 from sakkiii/ssl_staple 
Enable OCSP Stapling
 2021-05-18 07:50:35 +03:00
sakkiii
d31b55b2a7 SSL-enabled block only 2021-05-18 03:24:06 +05:30
Slavi Pantaleev
e4dd933cf0 Make missing /_synapse/admin correctly return 404 responses 
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1058

We may try to capture such calls and return a friendlier response (HTML
or JSON) saying "The Synapse Admin API is not enabled", but that may not
be desirable.

For now, we stick to what "upstream" recommends: "simply
don't proxy these APIs", which should lead to the same kind of 404 that
we have now.
See here: 6660912226/docs/reverse_proxy.md (synapse-administration-endpoints)
 2021-05-17 11:45:35 +03:00
sakkiii
2c3da6599b Added warning 2021-05-15 16:07:52 +05:30
sakkiii
0dd4459799 matrix_nginx_proxy_ocsp_stapling_enabled variable added 2021-05-15 16:01:49 +05:30
sakkiii
c05021640d Enable OCSP Stapling 2021-05-15 15:57:05 +05:30
Aaron Raimist
ca361af616
Add Hydrogen 2021-05-15 04:23:36 -05:00
sakkiii
29cf6a0087 Merge branch 'spantaleev:master' into master 2021-05-10 15:10:18 +05:30
sakkiii
bb0810302d Merge branch 'spantaleev:master' into master 2021-05-07 23:03:55 +05:30
Béla Becker
b10655ebb1 Jitsi XMPP Websocket support 
Jitsi-meet enabled websockets by default, claiming better reliability.
Matrix-nginx-proxy configuration has been set up according to the
Prosody documentation: https://prosody.im/doc/websocket
 2021-05-05 19:10:58 +02:00
Dan Arnfield
cfaa3e598a Update nginx (1.19.10 -> 1.20.0) 2021-05-03 16:00:11 -05:00
sakkiii
40fe6bd5c1 variable matrix_nginx_proxy_hsts_preload_enable added 2021-04-24 20:04:20 +05:30
Slavi Pantaleev
389dc26615 Fix Synapse generic worker balancing 
Potentially fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/1022
 2021-04-24 11:52:45 +03:00
sakkiii
5b4fdf9b87 Merge branch 'master' of https://github.com/sakkiii/matrix-docker-ansible-deploy 2021-04-24 12:15:34 +05:30
sakkiii
0ccf0fbf1c HSTS preload + X-XSS enables 
**HSTS Preloading:**
In its strongest and recommended form, the [HSTS policy](https://www.chromium.org/hsts) includes all subdomains, and indicates a willingness to be “preloaded” into browsers:
`Strict-Transport-Security: max-age=31536000; includeSubDomains; preload`

**X-Xss-Protection:**
`1; mode=block` which tells the browser to block the response if it detects an attack rather than sanitising the script.
 2021-04-24 12:12:34 +05:30
sakkiii
3564635f0f
Merge branch 'master' into master 2021-04-24 11:46:52 +05:30
sakkiii
29bba5161b Element More security headers 
More Production ready nginx headers for Matrix client element.
 2021-04-24 11:10:40 +05:30
Slavi Pantaleev
d691cc0920 Move variable definition a bit 2021-04-21 13:59:20 +03:00
Slavi Pantaleev
e00ef04b57 Add opt-out-of-FLoC headers by default 2021-04-21 13:58:24 +03:00
Slavi Pantaleev
4a1739f604
Merge pull request #1007 from teutat3s/fix/nginx-dont-send-version 
Don't expose nginx version with each response
 2021-04-18 21:33:11 +03:00
teutat3s
2bf7c26cfa
Don't expose nginx version with each response 2021-04-18 16:24:13 +02:00
sakkiii
1958d0792d Update matrix-client-element.conf.j2 2021-04-17 21:33:07 +05:30
sakkiii
b6d45c5fd8 Merge branch 'master' of https://github.com/sakkiii/matrix-docker-ansible-deploy 2021-04-17 21:03:26 +05:30
sakkiii
05042f5ff1 Improve security grafana 
- duplicate X-Content-Type-Options
- X-Frame-Options header
- Referrer-Policy [Might consider adding variable]
- Secure flag with cookies
- matrix_grafana_content_security_policy variable for [Content Security Policy](https://grafana.com/docs/grafana/latest/administration/configuration/#content_security_policy)
 2021-04-17 21:03:05 +05:30
sakkiii
5dc642ace1
Nginx element web: XSS protection & nosniff header 
X-XSS-Protection: 1; mode=block; header, for basic XSS protection in legacy browsers.
X-Content-Type-Options: nosniff header, to disable MIME sniffing
 2021-04-16 14:45:04 +05:30
Slavi Pantaleev
c7c137df74 Upgrade nginx and certbot 2021-04-14 13:24:41 +03:00
Ahmad Haghighi
e335f3fc77 rename matrix_global_registry to matrix_container_global_registry_prefix related to #990 
Signed-off-by: Ahmad Haghighi <haghighi@fedoraproject.org>
 2021-04-12 17:23:55 +04:30
Ahmad Haghighi
f52a8b6484 use custom docker registry 2021-04-12 17:23:55 +04:30
Christoph Johannes Kleine
fcd66b2889
rename variables 2021-03-30 16:41:32 +02:00
Christoph Johannes Kleine
8ba1105010
rename variable 2021-03-30 15:59:10 +02:00
Christoph Johannes Kleine
3a772f2f65
matrix-nginx-proxy: add custom nginx options to nginx.conf.j2 2021-03-30 14:11:20 +02:00
Dan Arnfield
97d8527e00 Update nginx (1.19.6 -> 1.19.8) 2021-03-24 09:42:08 -05:00
Slavi Pantaleev
06c74728eb Move matrix_nginx_proxy_proxy_synapse_federation_api_enabled definition to the role 
This variable was previously undefined in the role and was only getting
defined via `group_vars/matrix_servers`.

We now properly initialize it (and its good default value) in the role
itself.
 2021-03-23 10:28:32 +02:00
Slavi Pantaleev
9a0222fa47 Add Sygnal support 
Fixes https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/683
 2021-03-20 13:32:22 +02:00
Aaron Raimist
32b3650c12
Set X-Forwarded-Proto on federation requests 2021-03-17 18:51:10 -05:00
Aaron Raimist
466827139a
Also check if matrix_ssl_lets_encrypt_support_email is blank 2021-03-17 00:54:05 -05:00
Slavi Pantaleev
011e95c1d2
Merge pull request #893 from GoMatrixHosting/master 
matrix-awx - the GoMatrixHosting v0.3.0 initial PR
 2021-03-16 08:40:15 +02:00
Slavi Pantaleev
6181861ffe
Merge pull request #929 from Zir0h/master 
Added support for the Go-NEB bot
 2021-03-16 07:49:53 +02:00
Alexandros Afentoulis
28c255539c matrix-nginx-proxy: specify Origin header, comply with CORS 
Self-checks against the .well-known URIs look for the HTTP header
"Access-Control-Allow-Origin" indicating that the remode endpoint
supports CORS. But the remote server is not required to include
said header in the response if the HTTP request does not include
the "Origin" header. This is in accordance with the specification
[1] stating: 'A CORS request is an HTTP request that includes an
"Origin" header.'

This is in fact true for Gitlab pages hosting and that's why the
issue was identified.

Let's specify "Origin" header in the respective uri tasks performing
the HTTP request and ensure a CORS request.

[1] https://fetch.spec.whatwg.org/#http-requests
 2021-03-15 14:24:55 +02:00